Hey folks,
This year, I’ll be working on creating a digital book that is a collection of Suricata best practices. I want it to serve as a kind of bridge between how Suricata works, how to reduce noise/false positives/alert fatigue, how Suricata rules work, and how to write your own rules. So far, this is the list of chapters/subjects I’ve identified that I definitely want to cover:
NIDS and IDS Evasion history, its influence on design for both Snort and Suricata
Setting up a rule writing/perf testing environment with Dalton
Understanding the importance of sensor placement
Anatomy of a Suricata 5+ rule
What makes a rule good
Understanding rule performance metrics
How to reduce false positives/alert fatigue
Scenarios/exercises involving malware, pcaps and rule writing (a la malware traffic analysis exercises)
So I don’t know if any of you are familiar with a prior work of mine, Building Virtual Machine Labs: A Hands-On Guide, but while I was writing it, I would add new chapters and just share the revisions publicly. After it was all done, I posted it to Leanpub and set the minimum price on it to free. I want to do the same thing with this book/guide as well.
So, this is the part where I’m asking you for feedback: What subjects pertaining to Suricata or NSM management in general would you want to see covered in such a work? Thank you in advance!